Nothing. I didn't mean to belittle all that you've done and accomplished, so sorry if it comes across that way.

Nah, don't apologize. These three desperados didn't do much other than some brilliant marketing on themselves. Oh, and lie about them being general partners of Bitcoinica. Oh and also take down their shitty "Bitcoin Consultancy" website to cover their asses.

They are the three stooges of the Bitcoin world as they clearly demonstrated by their inefficacy and the multiple retarded posts on this thread.

To the person above, here's what happened:
- Bitcoinica has an internet mailing list called info@bitcoinica.com
- It was the email for the website and all sensitive accounts.
- You could request a password for that email. In a production system, that should never be possible.
- Several people had access to this mailing list (non-admins and business people included).
- Patrick got added.
- His personal email was compromised. Normally this shouldn't be a big deal; I use my personal email at internet cafes and public computers.
- Attacker was able to request a new password and login to rackspace.

The assumption here was that info@bitcoinica.com did not have access to critical infrastructure.

Lastly, it was my fault Patrick's email server got compromised. I had a VPS for programming and development which many people had access to - randoms from #c++ IRC, people from this forum, beginners I was teaching, etc. It's a public VPS for development. The SSH key on there was added to Patrick's server because we were developing the bitcoinconsultancy.com website on there (that's why it's now down). My SSH key was stolen and he ssh'ed into the box. Then had access to his emails.

Patrick requested him to be added because he wanted to reset server root passwords. And he did receive several email reset confirmations. Whether the email is his personal email or work email, it shouldn't matter. It's the same email that he uses to receive the confirmations and all Bitcoinica sensitive emails.

The attacker didn't think the email account was a big deal either, until he saw the password reset confirmations. The hacker then found out the Rackspace Cloud username "bitcoinica" using the "forgot username" option, which means that the hacker didn't even initially realise the association between bitcoinica and the hacked email account.

EDIT:

I didn't blame Patrick for the email compromise. It's the hacker's fault, not his.

But Donald and Amir keep mentioning that the access control system is improper. Patrick is the only guy in Bitcoinica Consultancy who had access to critical data. I didn't give the permission to anyone else. And I didn't get compromised either.

If I was adding everyone to the mailing list, that would be unacceptable. But I added patrick@bitcoinconsultancy.com (which he told me), and you're telling me I should treat it as personal email and non-critical.
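As an added illustration (not part of any post in this thread): the chain of access the two posts above describe, modeled as a graph so that the path from a low-trust machine to the hosting account can be found and a fix checked. The node names come from the posts; the edge model and the helper names are assumptions made for this example.

```python
from collections import deque

# Constructed model of the chain described in the posts above.
# An edge A -> B means "whoever controls A can obtain B".
TRUST = {
    "shared dev VPS": ["SSH key on dev VPS"],
    "SSH key on dev VPS": ["Patrick's mail server"],
    "Patrick's mail server": ["patrick@bitcoinconsultancy.com"],
    "patrick@bitcoinconsultancy.com": ["info@bitcoinica.com list mail"],
    "info@bitcoinica.com list mail": ["Rackspace password reset"],
    "Rackspace password reset": ["Rackspace account"],
}
LOW_TRUST = ["shared dev VPS"]    # many people had access
CRITICAL = ["Rackspace account"]  # production hosting


def find_path(edges, start, target):
    """Breadth-first search; returns the shortest chain or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def exposures(edges, low_trust, critical):
    """Every (low-trust asset, critical asset) pair joined by a chain."""
    found = {}
    for src in low_trust:
        for dst in critical:
            path = find_path(edges, src, dst)
            if path:
                found[(src, dst)] = path
    return found


def without_edge(edges, src, dst):
    """Copy of the graph with one trust relationship removed."""
    return {k: [v for v in vs if not (k == src and v == dst)]
            for k, vs in edges.items()}


if __name__ == "__main__":
    for (src, dst), path in exposures(TRUST, LOW_TRUST, CRITICAL).items():
        print(f"{src} reaches {dst}:\n  " + "\n  -> ".join(path))
    # Mitigation check: recovery mail no longer goes to the shared list.
    fixed = without_edge(TRUST, "info@bitcoinica.com list mail",
                         "Rackspace password reset")
    print("after fix:", exposures(fixed, LOW_TRUST, CRITICAL) or "no chain")
```

Removing any single edge breaks the chain; the one cut here corresponds to the point both posts circle around, that mail able to reset the hosting password was delivered to a list with several recipients.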

You gave out root access to vps? Attacker uses su to be your username and then simply ssh into email server? But as reg user cannot read everyone's email... Or you put root ssh key on email server which allowed full ownage of email server combined with giving out root access? You trust people on irc or this forum?

The fail is great with this situation. Figures this hack took no real skills. It is rare person who can code 0day and if they could you can sell it for same amount stolen in hack if 31337 elite linux remote root on popular daemon like apache or email daemon.

Will somebody just admit whether there is a backup of the user database or not?

Man up zhou.

There is NO BACKUP. Think about this: PASSWORDS WERE SALTED. There was NO NEED for a claim form. They could have let the users simply login into their account to authenticate.

Not to mention those users using google authenticator.

The form is there because there is jack shit in terms of data.

If this is the case, I blame zhou for that. A 17-year old boy with zero contingency plans, twice demonstrated (shame on me). (and furthermore, I will never use his new domain manager service or any other).

How is he supposed to process claims without a user database backup is my only lingering question?

genjix and zhou: get a room. you belong together.

MagicalTux handled his shit last year, because he was a twenty-five year old man. Long-live MtGox.

Your passports are in my private repository (AES-256 encrypted), and the previous API access key was revoked. I'm the only person with access to such information now. Patrick et al. can request the repository once they need it, but currently they don't.

Zhou Tong's hands are tied, because he no longer has access to the systems - as far as I can tell from what he has posted. He has also offered to take over the claims process and make everything right, but that was also rejected. Attacking him and his reputation isn't the way to proceed here.

Have you talked to the hacker, or are you speculating on his reaction and the steps he went through.

How do a few passports help link usernames and passwords to account funds? They don't help. At all.

But I know grammatical errors when I see/read them and I'm seeing/reading a hell of a lot of them in all these official/nonofficial posts. It's like I'm reading shit written by young adults who don't have a rudimentary command of the English language but keep trying their damnedest to come across as educated blokes. Now, I'm not necessarily speaking of Zhou, for obvious reasons, but I feel (not sure) that his writing style has changed, as if somebody else is posting in his name. Reason I say this is because I've read words of which he's spelled correctly in the past, coupled with his current delivery seems odd (to me).

Forgive me if this has already been addressed, but I'm now only catching up, about nine pages out.

Back to reading this CF.

~Bruno~

After I moved to Australia, I changed the computer language to Australian English and my Mac autocorrected everything for me. It's handy when I need to write essays and business documents.

I always use American spelling online, but I didn't bother to change the settings or manually correct the spelling.

So I hope this explains something.

That makes perfect sense, Zhou. BTW, I'm going on record to state that I'm on Zhou's side and will remain so until I state otherwise. I'm going by actions but, moreover, feelings in my decision.

Now I'm really afraid that no one will receive their funds. People have asked several times about the backups, and every Bitcoinica former or current member conveniently avoided this topic. If there were any backups, I'm sure they'd want to answer their customers' concerns as soon as possible. Avoiding this topic whatsoever is really, really fishy.

Up until yesterday you people were screaming about the owner, that you want to know who he is, several pages of bitching, now that he showed up, and he is not the criminal mastermind you expected him to be, you started with the backups, I wonder what you will come up with next.

Bitcoinica sock puppet much? Every single post that you made in this thread is somehow an attack on those who want transparency and REAL answers/solutions.
